Packet-based data networks continue to grow in importance, and it is often desirable to monitor network traffic associated with these packet-based networks on an ongoing basis. To meet these monitoring needs, copies of network packets can be forwarded to diagnostic network monitoring tools. Packets are often forwarded using network hubs, test access ports (TAPs), and/or switched port analyzer (SPAN) ports available on network switch systems.
To help alleviate the problem of limited access to network packets for monitoring, tool aggregation devices or packet broker devices have also been developed that allow shared access to the monitored network packets. In part, these network packet broker devices allow users to obtain packets from one or more network monitoring points (e.g., network hubs, TAPs, SPAN ports, etc.) and to forward them to different monitoring tools. Network packet brokers can be implemented as one or more packet processing systems in hardware and/or software that provide access and visibility to multiple monitoring tools. These network packet brokers can also aggregate monitored traffic from multiple source links and can load balance traffic of interest to various tools. The traffic of interest can be network packets that are selected by the packet brokers through packet filters and related packet forwarding rules that identify particular packets or packet flows from within the monitored network traffic as traffic of interest.
Network packet analysis tools include a wide variety of devices that analyze packet traffic, including traffic monitoring devices, packet sniffers, data recorders, voice-over-IP monitors, intrusion detection systems, network security systems, application monitors, and/or other network tool devices or systems. Network analysis tools, such as traffic analyzers, are used within packet-based data networks to determine details about the network packet traffic flows within the packet communication network infrastructure.
Certain network communication systems also include virtual processing environments that include virtual machine (VM) platforms hosted by one or more VM host servers. For example, network applications and resources can be made available to network-connected systems as virtualized resources operating within virtualization layers on VM host servers. In some embodiments, processors or other programmable integrated circuits associated with a server processing platform (e.g., server blade) and/or combinations of such server processing platforms operate to provide virtual machine platforms within the server processing platforms. A virtual machine (VM) platform is an emulation of a processing system or network application that is formed and operated within virtualization layer software being executed on a VM host hardware system. By operating multiple VM platforms and/or application instances within such a virtualization layer also operating on a VM host hardware system, a variety of processing resources can be provided internally to the virtual processing environment and/or externally to other network-connected processing systems and devices.
When a network to be monitored includes virtual processing environments, however, difficulties arise in identifying and controlling risky packet traffic for network communications with VM platforms operating within such virtual processing environments to provide various application resources. For example, web based computing services (e.g., Amazon web services) allow a wide variety of external network-connected users to obtain dedicated and elastic processing resources within virtual processing environments running on a large number of interconnected servers. These external users can install, initialize, and operate a wide variety of user applications as instances within VM platforms operating within the virtual processing environment. Further, the external users can be corporate or commercial entities that provide multiple different application services to employees and/or end-user consumers of the processing resources. Identifying and controlling risky packet traffic is difficult within such virtual processing environments.
For some solutions, a network firewall application is used within a processing system to ask a user whether a network service should be allowed network access when it starts running within the processing system. If the user selects not to allow network access, the network service is isolated from packet communications with the network. Similarly, this network firewall application can also ask the user whether a particular network source should be allowed access to the network service operating within the processing system. If the user selects not to allow access from the network source, incoming packets directed to the network service are dropped. However, this micro-segmentation of access, where access to network services is blocked except for specifically allowed network sources, can create problems in the case of misconfigurations. For example, when a legitimate user-side network source attempts to use a network service and is unable to connect, the network source cannot determine whether the service is down, the network is down, or access is being blocked by security rules. It can be very difficult to debug and correct this situation where access is being denied due to misconfigured application of security rules, because packets are being silently dropped as part of the firewall's blocking of access.